brend-store.ru hijacked my site via a plugin

I tried to download the Maintenance Mode plugin for my site and it redirected me to scareware. I immediately closed my browser, but it wasn’t enough. My site has now been hijacked by brend-store.ru. I’ve found two other cases of this hijacker, but not enough to get the support I need. I currently have an “under construction” page up to stop my site from redirecting to the malicious site, but the rest of my site is still messed up. Any help would be greatly appreciated!

Did you TRY to download a plugin that did it? I read all of the articles from WordPress already and nothing helped. I didn’t want to have to restart everything, so I logged into my server and deleted anything that didn’t look necessary. Somewhere along the way, I deleted the right thing. I think it was in the Downloads folder.

OK, after much trouble, I realized this is a .htaccess code injection hack/virus. Every site on my host/server had a corrupted/injected .htaccess file redirecting sites to brend-store.ru. I manually went through every file and removed this hack. They placed the code about 200 lines down to hide it, and to the right (if you edit via a text editor).

I still have no idea how this hack/virus came about. But it did infect my whole hosting account (JustHost.com), so I am contacting them to take further cautionary steps.

I contacted my host, who removed the rest I didn’t find. You’re right. All the articles say check .htaccess, but they inject a fake one in EVERY folder. This hack seems to be common but not often talked about, probably because many people wouldn’t notice and would assume their site is just messed up.

I hope plugin owners start checking their own stuff more often because others not noticing is how it’s spreading. Let me know if your hosting provider gives you any helpful hints 🙂

My host has been no help unfortunately! They said, “your site is fine.” Haha BULL! Anyway, I hope the “internet police” find the bottom line of this problem. I don’t like thinking it can happen again without me knowing how to stop it.

My host thankfully removed EVERY little trace for me. I know there are WordPress security plugins, but I don’t know how effective they are against hijacking and injected files. I’m really hesitant about downloading any updates or plugins with this thing infecting WordPress…

Glad to hear your host helped. Yeah, it does seem to infect mostly WordPress users, but it also infected sites on my host that were not WordPress sites. I think somehow the hackers are gaining FTP access through some WordPress hack and then infecting all folders/sites on the server. I am wary of downloading ANYTHING at this point!

If the attacker has somehow managed to exploit your WordPress site and upload a shell script in there, then he can do whatever he wishes in your account, thus being able to infect all your other websites and plant even more backdoor scripts.

The hackers got into my stuff again, like you mentioned, Hetrix. They didn’t get in through SSH, just FTP. I cleaned up all .htaccess files last night, and they re-injected them today, to direct to another spam site, not brend-store.ru however.

And my host is no help, so thankfully some good friends are helping me tighten ship.

I posted on the forum of the plugin that was ALSO hijacked and gave the problem to me…

I was rudely told not to make such accusations and they linked to THIS support thread to say I have taken back my accusation and it was my server’s fault. Then they closed my post. Um…my server FIXED it. It was still the Maintenance Mode plugin that gave it to me. Not intentionally, but I believe it is infected too. You’d think you could find better help online eh dontbegauche?

I’d look into changing hosting. There are times when my hosting provider is the only one who can save me.

I went into my backend. I went to plugins. I did a search for it as I’ve used it several times before. I downloaded it from the official location, and it redirected me to a scareware site…the same one my site started redirecting to. I ran Malwarebytes on my computer. Nothing.

I checked my backend, most of the fake inserted .htaccess files giving me trouble were in my plugins folder in the Maintenance Mode plugin files. This all also ONLY affected my site I installed Maintenance Mode to and it happened the second I tried. All subdomains and other domains on the same server were unaffected. It was NOT my hosting provider. It was this plugin.

I love Maintenance Mode. I’ve used it many times. However, it was the ONLY thing I was trying to change and there seem to have been some other complaints around the day I had my trouble, but the forum admins are closing all topics on the matter. I just checked it again on a superfluous domain. It seems to be working fine now. I don’t think it was Maintenance Mode’s fault, but I do think it was temporarily hijacked or something of that nature.

I checked your other post. As esmi pointed out, the odds are it’s NOT the plugin but the SOURCE (which has not been updated in 8 months). Now, since you said wordpress.org is the source, I would speculate further that your site actually was already compromised somehow and the installation of ANY plugin would have triggered that.

Esmi wasn’t being rude, by the way. She’s a well respected, well educated and highly knowledgeable moderator of these forums. Terse, yes, but she rightly pointed out the odds are that it’s NOT the plugin. And as she pointed out, if you feel it’s the plugin, email plugins@wordpress.org and explain the situation.

Seriously, the odds are your account on that server is compromised.

Start out by following kmessinger’s advice. Get your site CLEAN. Use http://sitecheck.sucuri.net/scanner/ to scan your install. Change ALL YOUR PASSWORDS. Search your site for any other .htaccess files.

dontbegauche – Change passwords, obviously, but also make a backup of your site and then nuke everything that isn’t in wp-content. Upload it all fresh. For what IS in wp-content, delete the plugins and themes and get fresh copies of THEM as well. Make sure your permissions are good (775 for wp-content/uploads). Change the WP passwords as well as FTP/SSH. Use the Sucuri scan.

Also, as always, talk to your host. Tell them your account may have been compromised. Sadly, if they’re incompetent and can’t (or won’t) help you, I would STRONGLY suggest moving to a better host. A good host will help you dig this out.
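Added example, not part of any post in this thread: a cleanup check for the pattern described above, where a .htaccess file appears in every folder with the redirect rule pushed about 200 lines down and far to the right. The thresholds, the `own_hosts` allow-list, the `some-plugin` folder and the `injected.example` / `example.org` hosts are assumptions constructed for the demo.

```python
import os
import re
import tempfile
# Directives that can send a visitor to another site.
REDIRECT = re.compile(r"^\s*(RewriteRule|RedirectMatch|Redirect|ErrorDocument)\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s\"'\[\]]+)", re.I)
PAD = 40        # assumed threshold: leading whitespace that pushes a rule off-screen
BLANK_RUN = 20  # assumed threshold: blank lines used to push a rule far down

def scan_htaccess(path, own_hosts):
    """Return (line_no, reasons, text) for each suspicious line in one file."""
    findings, blanks = [], 0
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            if not line.strip():
                blanks += 1
                continue
            hosts = {h.lower() for h in URL_HOST.findall(line)}
            checks = {
                "indented-off-screen": len(line) - len(line.lstrip()) >= PAD,
                "after-blank-run": blanks >= BLANK_RUN,
                "external-redirect": bool(REDIRECT.match(line) and hosts - set(own_hosts)),
            }
            reasons = [name for name, hit in checks.items() if hit]
            blanks = 0
            if reasons:
                findings.append((no, reasons, line.strip()))
    return findings

def scan_tree(root, own_hosts):
    """Check every folder under root, not only the site's top-level file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        path = os.path.join(dirpath, ".htaccess")
        hits = scan_htaccess(path, own_hosts) if ".htaccess" in files else []
        if hits:
            report[os.path.relpath(path, root)] = hits
    return report

def demo():  # constructed sample tree: one clean file, one with a hidden rule
    clean = "# BEGIN WordPress\nRewriteEngine On\nRewriteRule . /index.php [L]\n# END WordPress\n"
    bad = clean + "\n" * 200 + " " * 120 + "RewriteRule ^(.*)$ http://injected.example/ [R=301,L]\n"
    with tempfile.TemporaryDirectory() as root:
        plug = os.path.join(root, "wp-content", "plugins", "some-plugin")
        os.makedirs(plug)
        for folder, body in ((root, clean), (plug, bad)):
            with open(os.path.join(folder, ".htaccess"), "w") as fh:
                fh.write(body)
        return scan_tree(root, {"example.org"})
```

Run `scan_tree()` against the account's top-level directory rather than a single site, and again after the password changes, so that re-injected files show up.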